[Freedombox-discuss] PageKite relay service; risks, community and collaboration?

Bjarni Runar Einarsson bre at pagekite.net
Sat Nov 21 19:50:36 UTC 2015


Hello Freedombox folks!

tl;dr: There are security risks involved in running PageKite
relays which I wanted to warn you about. I'm also wondering if
folks here are interested in collaborating to build a
community-run free-of-charge network of PageKite relays.


Sorry, this got long...

It's been a while since I posted anything here; for those of you
who don't remember me, I'm the author of PageKite (owner/operator
of https://pagekite.net/) and the lead developer on Mailpile.
I've been lurking on this list for ages.

For the rest of this e-mail I'm going to just assume that
FreedomBox, Mailpile and similar personal-home-server solutions
will never succeed in reaching the masses without PageKite (or
something just like it). Folks who disagree may want to stop
reading now. :-)

Unfortunately, if we consider PageKite.net's current business
model (my paycheck...), it's pretty clear that it will hinder
adoption if every single user has to pay a small fee to connect
to the network. Freedom is important, but folks are also very
price-sensitive about network services. People are so used to
free stuff online, that convincing them to pay a subscription for
something like PageKite is a very hard sell.

If we want efforts like the FreedomBox to succeed, eliminating
friction like this is important. When I am wearing my Mailpile
hat, I struggle with this same concern.

(Makers of embedded server products currently solve this exact
issue by purchasing PageKite accounts in bulk and including the
expected costs in the price of the hardware that is sold. This is
a viable model, but I suspect it's not one that appeals strongly
to this particular community...)

In any case, it would be *really cool* if PageKite service were
available free of cost, provided and supported by a community,
similar to the Tor relay network. I haven't tried to build such a
thing yet and I'd like to tell you why... and why I might be
about ready to change my mind and work on this.

I'm bringing this conversation to the FreedomBox list, because of
two things: it appears freedombox.me is trying to clone
pagekite.net, with less friction and no money involved;
community-run-relays might be a natural evolutionary direction
for that project. I also saw in Plinth's github someone
requesting the ability for one FreedomBox to be a PageKite relay
for another. Both of these ideas must be approached with care, or
users will be harmed.


The main concerns:

0) Users of a pagekite.me-style service are completely at the
mercy of the person who provides them with a sub-domain. Adding
some volunteers and decentralization to the mix at the relay
stage doesn't actually solve the main social/political problems -
the domain owner still controls everything.

1) PageKite relays can be abused in much the same way as Tor exit
nodes - if anyone can volunteer to run a relay, some will do so
for antisocial reasons, in particular to spy on the traffic. Or
worse; to manipulate the traffic, injecting ads, malware etc.
Using your friends' relays is NOT a solution, few people are more
interested in spying on you than your friends, relatives and
coworkers.

2) Phishing campaigns regularly try to use PageKite relays to
anonymize their operations. If they succeed, then PageKite relays
get automatically blacklisted in various firewalls, preventing
legitimate users from accessing their kites.

3) Fly-by-night makers of cheap home-server devices may try to
freeload off the community network without contributing anything
back.

Points 1) and 2) are critical security issues, point 0) begs the
question "what's the point?" I am not sure whether 3) is a bug or
a feature!

Neither of the security risks is theoretical; Tor exit node
manipulation is common and I shut phishers down on pagekite.me on
a regular basis. I have managed these risks at pagekite.net
through careful monitoring and manual oversight - and by charging
money so I know who my users are and they know who they're doing
business with.


Addressing these concerns in a community pagekite service:

0) Centralized control can be reduced somewhat by having multiple
service domains and multiple providers of DNS and pagekite
authentication, and by encouraging users to use their own
domains. While domains cost money, users will be jeopardizing their
freedom/security in exchange for a free sub-domain.

1) End-to-end encryption may prevent tampering and spying on
content; protecting metadata from the relay operators is largely
impossible unless everyone uses Tor (in which case you might as
well just use a Tor hidden service and skip PageKite).

For e2e crypto, we have to deal with TLS certificates which has
made this impractical until now. Letsencrypt.org may help, but
it's unclear to me whether anything prevents the relay operator
from simply using letsencrypt.org to set up their own MITM
anyway. Hopefully letsencrypt.org monitors things well enough and
warns certificate owners about re-issued certs...

Another attack vector, if the TLD owner and the relay operator
are one and the same (this is currently the case with both
pagekite.me and freedombox.me), then the owner of the TLD can
register a wild-card certificate and use that to MITM their
users. Most users will never notice a thing. Security improves if
DNS management and relay operations are separated. This attack
can also be thwarted by only ever using sub-sub-domains
(foo.bar.freedombox.tld).

All of these risks can be mitigated if the users know how to use
browser plugins like Certificate Patrol, or know how to manage
self-signed certificates and navigate scary browser warnings. For
non-technical users, neither is appealing.

Clear-text HTTP relaying in a volunteer-run PageKite network
should be strictly forbidden; relay operators that offer
clear-text HTTP relaying should be blacklisted. (Who watches the
watchers?)

2) Phishing abuse has no solution except active policing of
relayed domains, or a high-friction non-anonymous signup process
(preferably involving money). It may be possible to automate
policing to a certain extent, but this will always be an arms
race.


Conclusion:

I think letsencrypt.org *may* be enough of a game-changer that it
is worth revisiting how to create a volunteer-operated relay
network and make the DNS side of the PageKite solution easily
installable, so a more diverse ecosystem can emerge.

On the other hand, it might still be premature - the demand isn't
there yet, is it? It's certainly not urgent.

Are there folks on this list that would be interested in
participating and providing resources to such an effort? I've got
my hand tentatively raised... :-) I've also had the domain
pagekite.org registered for ages, for exactly this use-case.

All the best,
 - Bjarni
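The wild-card point in the message above (a `*.freedombox.tld` certificate held by the domain owner covers `bar.freedombox.tld` but not `foo.bar.freedombox.tld`) follows from the one-label wildcard rule browsers apply to TLS names; the following is an added example, not code from PageKite or the e-mail, that implements that rule and checks the sub-sub-domain mitigation. The function names, the refusal of `*.tld`-style names and the hostnames are constructed for illustration.

```python
"""Wildcard certificate name matching, the way browsers apply it
(RFC 6125 / RFC 2818 style, restricted to a whole left-most label):
'*' replaces exactly one label, so '*.freedombox.tld' covers
'bar.freedombox.tld' but never 'foo.bar.freedombox.tld'."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules applied (assumptions for this example, matching common
    browser behaviour): comparison is case-insensitive and ignores a
    trailing dot; a wildcard is honoured only as the entire left-most
    label; the wildcard matches exactly one non-empty label, never a
    dot-separated run of labels; '*.tld' style names are refused.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
            return False          # wildcard must be the whole left-most label
        if len(p_labels) < 3:
            return False          # refuse '*.tld' (extra caution, constructed)
        if len(h_labels) != len(p_labels):
            return False          # '*' spans one label, not several
        return h_labels[0] != "" and h_labels[1:] == p_labels[1:]
    return p_labels == h_labels


def mitm_exposure(cert_names, user_hostnames):
    """For each user hostname, report whether any name on the domain
    owner's certificate would be accepted by a browser for it."""
    return {h: any(wildcard_matches(n, h) for n in cert_names)
            for h in user_hostnames}


if __name__ == "__main__":
    # Constructed scenario: the TLD owner holds a '*.freedombox.tld' cert.
    exposure = mitm_exposure(["*.freedombox.tld"],
                             ["bar.freedombox.tld",
                              "foo.bar.freedombox.tld"])
    for host, exposed in exposure.items():
        state = "coverable by wildcard" if exposed else "not coverable"
        print(f"{host:26s} {state}")
```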